Meraki

Community

Redundant IPSec VPN with AWS

Kamome
Building a reputation
‎Jun 16 2019 10:26 PM
‎Jun 16 2019 10:26 PM

Redundant IPSec VPN with AWS

I have one pair of MX configured as Warm-Spare without WAN VIP.

On the AWS side, I've created two VPN Tunnel and each tunnel's peer is MX#1(with CGW#1) and MX#2(with CGW#2). When I did configuring, MX#2 was primary device.

According to MX's working mechanism, only primary device establish VPN connection. Thus, while AWS tries CGW#1<=> MX#1 and CGW#2 <=> MX#2, MX side tries MX#2 <=> CGW#1/2.

 

001.png

 

After configuring, VPN tunnel CGW#2 <=> MX#2 goes up and running well. Next hop for AWS VPC was CGW#2. I was able to ping to EC2 instance.

 

Problem comes up when failover occures.

After MX#1 became primary, MX#1 tries to establish VPN connection with CGW#1 and CGW#2. On the AWS side, still tries CGW#1<=> MX#1 and CGW#2 <=> MX#2. Therefore only VPN tunnel between CGW#1 <=> MX#1 comes up.

 

002.png

 

It looks ok on first sight. VPN tunnel for CGW#1 <=> MX#1 is up and CGW#2 <=> MX#2 is down. But I was unable to ping to EC2. When I checked routing table, next hop for AWS VPC was still CGW#2 untill remove CGW#2 <=> MX#2 from Non-Meraki VPN peer configuration or make MX#2 as primary. After MX#2 became primary again, everything back to normal and able to connect to EC2.

 

Is there any way to achive AWS <-> Meraki IPSec VPN redundancy with warm-spare configuration? I asked this situation to my local Cisco Meraki engineer, and he says that I have to configure WAN VIP to make it redundant. But if I do that, I can't achive ISP redundancy. Is WAN VIP only solution?

0 Kudos
1 Reply 1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 17 2019 12:08 AM
‎Jun 17 2019 12:08 AM

You wont be able to achieve both MX and ISP redundancy with a VPN to Amazon using this method.

 

If it is that important to you I would change to using the VMX in Amazon.  This will be far the simplest solution.

 

You could use two active/active MX in VPN concentrator mode, then put them behind a warm spare pare of MX (these two MX could run active/active as well if you like).  Then use a layer 3 switch and a dynamic routing protocol between the two MX in VPN concentrator mode.

If you are using warm spare mode and this type of configuration you really want both ISPs to plug into both MX to keep NAT simple.

 

If you want another complicated solution and don't mind running a script somewhere you could also consider using tag based VPN failover.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.